How WSA can detection keep up with latest malware mutation?

It looks like WSA just use MD5 as signature for detection, how can its detection keep up with latest malware that can easily modify little to change the MD5?
Other AVs use generic signature, but MD5 is unique, that means WSA need thousands of MD5 signature for just one malware variant, this is not so efficient.

It looks like WSA just use MD5 as signature for detection, how can its detection keep up with latest malware that can easily modify little to change the MD5?
Other AVs use generic signature, but MD5 is unique, that means WSA need thousands of MD5 signature for just one malware variant, this is not so efficient.

Click to expand...

Better than the others IMO:

Webroot SecureAnywhere - Cloud-Based Security Webroot SecureAnywhere installs in milliseconds, scans in less than two minutes and becomes more intelligent every day. Its 700-kilobyte client efficiently accesses more than 75 terabytes of malware data in our cloud-based Webroot Intelligence Network.
As this collective intelligence delivers comprehensive real-time protection, endpoints collect over 200 gigabytes of behavioral hashes each day. Unique URL and IP data feeds from strategic partners to further enrich our malware intelligence. As a result, Webroot SecureAnywhere becomes more powerful every minute, and more effective each time an endpoint is added anywhere in the world. http://www.webroot.com/En_US/business/secureanywhere-endpoint/

It looks like WSA just use MD5 as signature for detection, how can its detection keep up with latest malware that can easily modify little to change the MD5?
Other AVs use generic signature, but MD5 is unique, that means WSA need thousands of MD5 signature for just one malware variant, this is not so efficient.

Click to expand...

It uses MD5 just for the scan log, not for detection. It uses a vast amount of information instead of the MD5 for actual detection.